Attack Patterns on Iot Devices Using Honey Net Cloud

International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-9 Issue-2, December 2019

Attack Patterns on IoT devices using Honey Net Cloud

A R Jayakrishnan, V.Vasanthi

 calculated to fingerprint the IoT malware, and such Abstract: Due to the superfluous growth of IoT devices in the fingerprints could be shared with the community over current digital world, where lots of devices are becoming smart by VirusTotal1. Static and dynamic analysis can be applied for being able to connect internet with many smart features, IoT the malwares those are not been fingerprinted to regulate devices have become the main target of cyber-attacks for the their malevolence [5]. hackers these days. Since the IoT devices are very light in terms of File-less attacks which is also called as non-malware processing power and memory, it has become an easy target for hackers to intrude in to the network easily. The file-less attacks, attacks or zero footprint attacks on IoT things vary from that usually doesn’t require any files to be downloaded and malware based attacks, where they need not download and installed gets bypassed by anti-malwares. Very less effort has been run malware files to infect the IoT devices; but instead they put to learn the characteristics of attack patterns in IoT devices to take benefit of existing vulnerabilities on the victims‟ devices do the research and development efforts to defend against them. and intrude in to the network. For the past few years, This paper deep dives to understand the attacks on IoT devices in progressively more and more file-less attacks were reported the network. HoneyNetCloud has been made with four hardware [6]. McAfee Labs reported that file-less attacks ramped up by honeypots and hundred software honeypots setup that are meant 430% by 2017 [7]. For the PCs, laptops and servers, to attract wide variety of attacks from the real world. Huge range defending file-less attacks can be easily done by using anti of data was recorded for the span of 12 months. This study leads to multifold insights towards developing the IoT Network Forensics malware tools, firewalls and antivirus apps [8]; however, Methodology. since due to the limited computing, storage and memory Keywords: IoT attack, Network Forensics, Honeypots, Digital capacity for the vast majority of IoT things, such antivirus Security, HoneyNetCloud, Intrusion. solutions are not suitable. As the result, file-less attacks stance substantial threats to the IoT ecosystem. Remember I. INTRODUCTION that the IoT things are often deployed in private and sensitive Internet of Things has rapidly enlarged popularity across environments, such as banks, military areas, government a wide range of areas in home automation, industrial smart offices, private residences and healthcare centres. There is sensing and control etc [2]. In general, most of today‟s IoT very limited visibility into their appearances and attack smart devices employs the Linux (eg. Raspbian and vectors at the moment, which hampers research and OpenWrt) for its programmability and prevalence [1]. development efforts to innovate new defence to battle Connected things however incessantly emit stream of data as file-less attacks [9] part of their communication in the network. Meanwhile, the A. Methodology cyber-attacks volume also increases rapidly. This paper therefore concentrates on Linux based IoT things and the In this research, I‟ve used honeypots, which are effective intrusions targeting them. In general, there are two types of to capture the unknown network attacks by attracting attacks on IoT things: File-less attacks and Malware based intruders to the network [10]. Initially, four hardware attacks [3]. honeypots were setup. Each of them was attached with a Malware based attacks are very common these days. remote control power adapter, which has the ability to reset Examples like PNScan, Mirai and Mayday have been broadly the honeypot when it is compromised to attacks. These acknowledged in IoT networks. Popular and commonly used indeed provided valuable insights in to the IoT attacks at the websites like Twitter, Github were inaccessible for many same time they are very expensive to setup too. In order to hours during Oct 2016, when their DNS provider attacked by attract more and more real-time attacks, I‟ve decided to scale Mirai under DDOS attack. This was infected over 1.2 million up the number of honeypots connected in a much cheaper and IoT things over the world [4]. Such alarming incidents effective way by installing virtual honeypots. Hundreds of created high alerts among investigators and researchers about software virtual honeypots were setup that are meant to malware based attacks on IoT systems; Their characteristics attract wide variety of attacks from the real world. With the have been extensively studied over past few years and hence ever growing cloud setup around the globe with various effective defence solutions were developed. For example, the providers, it seemed to be a possible solution for me in my hash MD5 or SHA-n of a malware‟s binary file can be approach as its both economical and practical to implement. However, there are a few practical concerns to this. Firstly, Revised Manuscript Received on December 05, 2019. the software honeypots should behave likewise to the actual * Correspondence Author IoT devices, so that it won‟t miss any sort of attacks. A. R Jayakrishnan*, Research Scholar, RCAS, Bharathiar University, Secondly, they should also be able to depict comprehensive Coimbatore, Tamilnadu. India V.Vasanthi, Assistant Professor, Dept of IT, SKASC, Coimbatore, data of the interaction methods, so that it will become easy to Tamilnadu, India categorize the difficult to track attacks. Finally, they have to go

Published By: Retrieval Number: B6591129219/2019©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijitee.B6591.129219 3281 & Sciences Publication

Attack Patterns on IoT devices using HoneyNetCloud along with the diverse policies imposed by the cloud attackers. It has been observed that 9231 attacks providers, so that limitations of clouds will not really impact executed commands like lscpu to extract very each other for the coverage of the study results. Hence, the sensitive information. This is derived from the design of the software honeypots was customized by measurements taken from the hardware honeypots incorporating the comprehensions composed from hardware setup as part of the implementation. Whereas in the honeypots, such as the encrypted command disclosure, kernel software honeypots HoneyNetCloud, an average of information masking and data flow symmetry monitoring. 6.9% fewer attacks were captured by the honeypot I‟ve carefully selected eight public clouds to disperse hosted on AWS than other public clouds. This could hundred software honeypots, and group of the developed be because AWS reveals IP range of all its VM system is called HoneyNetCloud. All of the software instances. Some of the malwares like Mirai will not honeypots in the HoneyNetCloud have been employed with infect specific IP range [12]. These comprehensions DD-WRT, which is the best and most popular Linux based were incorporated to improve the effectiveness and OpenSource firmware for IoT devices [11] and is also reliability of the design of HoneyNetCloud. appropriate for customization.In comparison with the . More file-less attacks due to the unique types of hardware honeypot, a virtual honeypot attracts 35% lesser attacks. Most difficult, powerful and dangerous suspicious connections and 37% lesser attacks on an average threats are observed to be file-less attacks. 41.2% of basis. However, the maintenance cost for the software the attacks are considered to be gathering system version is 12 times less compared to that of the hardware information and/or performing activities shutting honeypot. Interestingly, all the attacks trapped by the down firewalls, deactivating watchdog and stopping hardware honeypots have also been captured and trapped by antivirus services etc. This is considered to be done so the HoneyNetCloud, but this is not the other way round. This as to get clear way for consecutive attacks and also to proves the effectiveness of my design in practice. allow more targeted attacks. The pattern of attacks shows that the most favourite attack by hackers is B. Implications discovered from the findings file-less since they are difficult to fingerprint and Honeypots were run for a span of one year (i.e 02/Oct/2018 hence most suitable for cautious attack to 01/Oct/2019). The suspicious connections to the reconnaissance and preparations. In the attack honeypots were around 286 million in the time span of one metrics, there was also a targeted DDoS attack, that year. Out of which, 34 million (11.88%) successfully logged neither touches the filesystem nor run any shell and able to attack. The rest of 88.12% observed suspicious commands, however it manipulates a flock of IoT could not intrude to the honeypots, since they fail to crack the devices and make the attackers not visible to victims. passwords. Among the successful intrusion attaks, 2.5 The anomalous pattern of outbound network traffic is million were classified as file-less attacks and rest of them as the only indication of such attacks. It is highly malware attacks. promising for the existing host based tracking or . New security challenges by the file-less attacks monitoring system to catch it effectively. could be discovered and thus leads to propose new . Classification of eight types of attacks. The detailed defence directions. Most of the captured attacks were study of attack patterns and data captured for the using shell commands, hence they were all detectable duration of one year has provided the way to by auditing the command history in the IoT devices. categorise the IoT attacks in to eight different types. Most of the IoT devices use a readonly filesystem so Due to the lack of malware files and fingerprints, it that the malware based attacks could reduce, however was never an easy task to classify and also to identify this unpredictably increases the difficulty of detecting the attack patterns. However, by carefully correlating the file-less attacks. This presents a new security the disclosed shell commands, recording the traffic challenge in IoT networks. Fundamentally, it is due to flow, monitoring filesystems change and gathering the compromise among the auditability of file-less online thirdparty reports, I was able to empirically attacks and the security against attacks of malware classify the attack patterns. types. Moreover, it has been observed that majority of file-less attacks (i.e 69.1%) are invoked through kill, II. IMPLEMENTATION rm, passwd, ps etc which were all enabled in the honeypots by default. For IoT devices, not all of these HoneyNetCloud – the implementation of the IoT honeypots commands need to be enabled, which eventually includes hardware IoT honeypots and the software cloud creates opportunity to reduce the surface for attacks based IoT honeypots. Structural overview of the by disabling them. HoneyNetCloud is depicted in the figure 1 below. . In order to determine device authenticity, various types of information are being used by the

Published By: Retrieval Number: B6591129219/2019©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijitee.B6591.129219 3282 & Sciences Publication International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-9 Issue-2, December 2019

Fig. 1. Overview of HoneyNetCloud

A. Overview Honeypot, as the name suggests is a trapping mechanism data to the cloud providers. Those instances can be easily used to attract hackers and monitor the activities. It is recognized and such instances were considered in the considered to be an effective tool that helps to understand analysis done in this implementation. The IoT hardware known & unknown type of attacks. They are widely honeypots were deployed in two different locations as shown deployed and are used by many on the internet [13]. It is not in the below Table 1. Hundred numbers of software a production system which provides services, hence no one honeypots were deployed in various locations around the has really specific reasons to access it. Thus, communication globe from public clouds that includes AWS, Microsoft packets coming in and out of Honeypots should be suspicious Azure, Cloudways, Vultr, SiteGround, Linode, Google Cloud logically. However, this is slightly different in the case of and HostWinds. public cloud since VM instances reports legitimate diagnostic

Table 1: Specifications of the hardware honeypot implementation # City Device and Price CPU Architecture Memory ISP 1 Kerala, India BeagleBone, $67 1 GHz Cortex A8 Processor 512 MB BSNL FTTH 2 Kerala, India Linksys WRT54GL, $69 MIPS Little Endian 200 MHz 32 MB BSNL FTTH 3 Bengaluru, India Raspberry Pi, $40 1.2 GHz ARM Processor 1 GB Reliance Jio 4 Bengaluru, India NetGear R6120, $43 MIPS Big Endian 560 MHz 128 MB Reliance Jio RCPA - Remote Control * For all centres Power Adapter, $30

B. Hardware Honeypots My first step in this implementation was to setup the The cost involved in setting up and maintaining hardware hardware honeypots. As listed in the Table 1, four hardware honeypots are a bit expensive. However, they are effective in honeypots were installed at two locations in India on attracting the hackers. BeagleBone, Linksys WRT54GL, Raspberry Pi and NetGear The design of the IoT hardware honeypot installation is R6120. The cost and the configurations were listed in the illustrated in the figure 2. It consists of three portions i) basic same table. For the duration of one year (Oct 2018 to Oct hardware things that includes NIC, RAM and CPU ii) 2019), hardware IoT Honeypots could attract 15.4 million OpenWrt OS and iii) services to attract intruders. Hardware suspicious attacks. Out of them, 1.9 million suspicious honeypots tracks all the actions of attackers which include the connections could successfully log in and were successful in typed commands or the programs executed by the hackers, attacks. Malware based attacks were 0.85 million and 0.11 and reports all of these to the data collector (as in Figure 2). million of file-less attacks. The remaining 0.94 million could BusyBox, a software suite not be categorized because they did nothing after logging in. providing Unix utilities is used

Published By: Retrieval Number: B6591129219/2019©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijitee.B6591.129219 3283 & Sciences Publication

Attack Patterns on IoT devices using HoneyNetCloud in the implementation. Shell script named ash is exposed to only thing needed was to rent the base level VM instances to the attackers, so that all their operations can be recorded run the software honeypots. Each VM instance host single when they run the shell commands. The shadow file is software honeypots. So, hundred numbers of VM instances modified and set the root password to root for making it more were setup with the configuration of single core processor of vulnerable for hackers. The Telnet service is setup on port 23 2.2 GHz, 1GB RAM, 20GB of storage with 100 Mbps of by BusyBox and the SSH service at port 22 by DropBear. internet bandwidth. Figure 3 depicts the geographical distribution of software honeypots on cloud. Comparatively, software honeypots are easy to scale up than hardware. Since hardware honeypots require more resources and cost involved is high for setting up and maintenance, software honeypots need only software based solutions. The main impediments I faced during hardware deployment is the infrastructure dependencies. These were the reasons behind smoving on to the cloud based solution for setting up software honeypots so that the limitations faced during the setup of hardware honeypots were resolved.

Fig. 2. Architecture of IoT Hardware Honeypot based on Cloud solution offers the most reliable, scalable and Beagle Bone economical answer to a global scale implementation on a virtual infrastructure. While designing the software based When an attack is identified that intrudes to the honeypot, IoT honeypots, my main intention was to get the reliability as threat information is immediately captured and the honeypot same as that of hardware based honeypot that was setup will be reset to original state. Initramfs is used to mount the before. The same was achieved in the software honeypots root filesystem. Initially its loaded from SD card or flash too. It has been observed that 9321 attacks were attempted to memory and then loaded in to RAM. All the modifications to get sensitive data via software commands like system state will get lost post reset. If the hardware honeypot cat/proc/cpuinfo and lscpu, such commands enable hackers is unresponsive or it doesn‟t report to data collector, then the to find out the software honeypots running in VM instances. honeypot is rebooted to bring it back to normalcy. Even The software honeypots setup was capable to forge the though there is a watchdog to monitor and automatically CPU/system information, making it lookalike real IoT reboot the honeypot, its normally been attacked by hackers devices. It was noticed that there were 192 attacks using using malware (for e.g Mirai) to disable watchdog. Hence, commands for listing connected usb devices (like lsusb) so as RCPA – Remote Control Power Adapter is built to physically to detect the potential honeypots, thus decided to enable reboot the honeypot as shown in the figure 2. It is made of common buses to make sure the fidelity. Power relay, Arduino and Ethernet Module. MQTT protocol is being used by the RCPA [14]. When it gets the reboot command, it enables the power relay to switch off and then switch on the Hardware honeypot. C. Software Honeypots Setting up of hardware honeypots and maintaining them is very expensive compared to software honeypots. Hence, I‟ve decided to scale up the number of honeypots to 100, so that more volume of attacks can be obtained for the research. For the one-year duration, all the 100 honeypots were run on eight public clouds namely AWS, Microsoft Azure, Fig. 4. Architecture overview of software IoT honeypot Cloudways, Vultr, SiteGround, Linode, Google Cloud and and new system HoneyNetCloud. HostWinds. As of Oct 2019, there were 260 million records of suspicious attacks to the software honeypots. Out of this, The architectural overview is illustrated in the figure 4, 14.2% were successful in logging in and effective in attacks. where the power controller and data collector are integrated There were 16.2 million malware based attacks and 1.8 with the hardware IoT honeypots too. Resetting capability of million file-less type of attacks. 13.6 millions of attacks were software honeypot in the power controller is also illustrated not successful as nothing happened after logging in, hence in the implementation diagram. There are mainly three they were not classified to any known types of attacks. modules in the software honeypots: Access Controller, Shell Compared to the hardware honeypots, software honeypots Interceptor cum Fidelity Maintainer and Inference Terminal. are quite cheap as they need only low end hardware and the

Published By: Retrieval Number: B6591129219/2019©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijitee.B6591.129219 3284 & Sciences Publication International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-9 Issue-2, December 2019

Fig. 3. Geographical distribution of IoT Software Honeypot on public cloud

Access Controller: There needs to be a mechanism to converted to plain text, so that we will know the actual text make sure re-attack by hackers are controlled when a converted. software honeypot is already compromised. Access Reset Manager: It‟s a heartbeat based reset mechanism Controller does the job, which will stop more attacks in to the used in the system, whenever the back end controller receives IoT devices. Setting up proper policies is a big challenge three consecutive missed heartbeats, it will send out the reset here since too stringent policies will block benevolent command to QEMU. Malwares like Mirai can attack and kill requests, whereas liberal policies could create high risk too. the Telnet process service, hence the reset manager regularly Hence, a data driven approach was used here to dynamically tries to connect QEMU via SSH/Telnet. Whenever it notices understand which packets are more malicious prone and the connection fail, then it will reset the QEMU also. which are not. A tool called snort is used in the implementation that runs in host VM instance to monitor in III. RESULTS AND ANALYSIS and out going packets traffic. Asymmetry in the data flow is This portion details the result analysis of the data recorded noted as the potential attacks blocked by public clouds. for the duration of one year i.e from 01/Oct/2018 to Shell Interceptor: Traffic flows in through SSH session. 01/Oct/2019. The overall statistics and the working flows of Firstly, the data packet gets decrypted to plain text. Then the the captured attacks are introduced first, then the detailed packet processor will find out the type of packets study of the attacks and suggestions for defence strategies (CHANNEL_DATA, CHANNEL_WINDOW_ADJUST). against IoT attacks are explained below Plain text data and the resize event data are sent to Inference Terminal for analysis. A. Generic Topographies, Statistics and Analysis Fidelity Maintainer: Its job is to implement the strategies It‟s been generally classified that there are two types of IoT to protect from attackers in recognizing the honeypots. attacks are seen, Malware types of attacks and file-less QEMU - Quick emulator is an open source virtualizer and attacks. Malware type downloads malware file from internet, emulator. It has been used in the software honeypots to whereas file-less doesn‟t download any from internet. Work enrich the reliability. The configuration is customized so as flow of the attacks captured in this implementation is to resemble its emulated IoT device. Though QEMU portrayed in the figure 6 below. There are three stages in it; provides many CPU profiles, the best match with the CPU Intrusion, Infection and Monetisation. metrics of emulated device is selected. No need of emulating disks, since initramfs is used to achieve in-memory filesystem. Moreover, most of the IoT devices do not have disks. Sensitive information is masked in the IoT devices by forging /proc/cpuinfo in OpenWrt, since hackers have the tendency to check through whether the IoT thing is emulated or not by checking /proc. Also, the IP addresses of VM‟s in the eight public clouds were periodically changed by opting elastic IP feature in the cloud services. This is done because IP ranges of public cloud can usually be obtained fully or partially, it could be possible for the hackers to understand Fig. 6. Work flow of the attacks captured. the system based on IP addresses. Inference Terminal: Even though the shell interceptor Intrusion: In this phase, the most common method of acquires plain text data, there may be escape sequences and intrusion observed is brute force, where the attacker tries to control characters to be handled in the data feed. An open login the IoT device with common username and passwords. source tool called pyte is used, which is a terminal emulator. It‟s also found that majority of the IoT devices use default Pyte is customised to get the history of feeds instead of screen credentials that‟s been set from by screen. Special control chars and escape sequences were the factory.

Published By: Retrieval Number: B6591129219/2019©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijitee.B6591.129219 3285 & Sciences Publication

Attack Patterns on IoT devices using HoneyNetCloud

Infection: After the attacker gets in to the IoT device, they on hardware honeypots were also captured on software cloud use wget or tftp to download the malwares. Usually honeypots too. malwares connect to the C & C (command & control) server Malware based attacks captured in hardware honeypots for the commands. Once it gets the commands, it can perform can be classified in to seven categories as illustrated in the various types of attacks like Telnet/SSH, Dos etc. In the figure 7a. There were 427 various types of malwares file-less attacks, nothing is downloaded, therefore traditional downloaded by the hackers. Whereas software honeypots methods of fingerprinting cannot be applied here. Certain have collected 595 types of malwares and they can be system files are modified and/or port forwarding is setup in classified in to the nine categories as depicted in figure 7b. place of this. Among these, the Mirai takes the major portion – 73.5% and In comparison with the volume of attacks between 81.2% for hardware and software honeypots respectively. software and hardware honeypots, it has been observed that Attacks were targeting multiple architectures of the IoT the software honeypots had 34% fewer suspicious attacks. devices. This is because of two things; clouds prevent certain kinds of In addition to the malware based attacks, HoneyNetCloud attacks (by means of attack filtering) before it reaches the has captured eight various types of file-less attacks too. The honeypot. Secondly, the attackers would have tried some classification is based on the behaviours and intentions of the advanced techniques to gather the VM identity, though many attacks. Figure 7 depicts the categories of the attacks steps were done on newly developed HoneyNetCloud to captured and the percentage of them. Table 2 details each mitigate exposing the VM identity. Nevertheless, the impact type of attack and its analysis. of this on the study is least affected since all types of attacks

Fig. 7. Categories of the attacks captured by hardware and software honeypots in HoneyNetCloud. In figure 7b, only new connection lines relative to those in figure 7a is drawn.

Table 2: Attack types and its behaviours observed  Attacker occupy the end system by taking control of the system.  Modify the password of the IoT device using passwd. Type I (1.8%)  After modifying the password, the attacker gets full control  Also this will make sure that no one else log in to the device other than attacker.  In this type, attacker damages the systems data.  Done by deleting or modifying certain config files and programs using rm and dd  Scenario is removing the watchdog daemon, once removed watchdog device will not function Type II (54.6%) (/dev/watchdog).  Since the device will not reboot when it malfunctions, attacker gets longer time to utilize the system.  Prevention of the auditing or monitoring devices.  E.g is killing the firewall service or watchdog service using kill/service Type III (8.3%)  After stopping the services, attacker gets opportunities to exploit the vulnerabilities that are known and can do whatever intended to do.

Published By: Retrieval Number: B6591129219/2019©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijitee.B6591.129219 3286 & Sciences Publication International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-9 Issue-2, December 2019

 Gathering system information using lscpu to get the hardware details and using uname, ps and netstat to retrieve system information. Type IV (7.2%)  Details gathered would be useful for attackers to carry out specific purposeful attacks.  For e.g downloading and running system/platform specific malwares.  Stealing sensitive and valuable information by reading passwords and configuration files using cat command. Type V (23.7%)  Though the sensitive details stored (in /etc/shadow) are hashed, however attackers could analyse the behaviours to recover the passwords using tools available in market.  This type is basically launching network specific attacks.  Done by sending HTTP requests to exploit vulnerabilities of the target systems to launch DDoS Type VI (0.4%) attacks  Other most common attacks are SQL injections and OpenSSL Heartbleed  It is unclear that some commands are used for unknown reasons. Type VII (3.4%)  Commands including lastlog, help, sleep, who etc were used which is presumed to be used to collect and analyse other system resources.  In this type, no shell command is used to attack.  SSH Tunnelling is an example where hacker has compromised a device.  When hacker gets the credentials of SSH service by bruteforcing, another device in the network is converted to proxy server by configuring the SSH port forwarding on the compromised honeypot. Type VIII (0.4%)  In order to prevent other machines connecting to the service, attacker binds the SSH port forwarding service to a loopback address and then the attacker launches attack from the compromised IoT device.  The real IP address of the attacker is hidden and hence it is really difficult to track the attacks.  This type is quite challenging due to the anonymity and also that shell commands are not used.

shutting down the firewall or killing the watchdog service B. Key Understandings etc) so that more attacks can be done effectively. With the detailed study done on IoT attacks analysis using Even though the attack vectors studied in this paper are honeypots, I could gather many insights. applicable to general purpose systems (i.e PC/Servers), a) Previous study on IoT attacks were very limited and effects of attacks are entirely different. Since the PCs and it was focused mainly on malwares. Servers are highly protected by strict policies imposed by b) Number of file-less attacks is 10% more than that of organizations, enhanced credentials etc, they are less malware attacks in IoT devices. attacked. c) Study reveals that the weak authentication is the widest reason of the attacks. C. Defence Strategies and Challenges d) Habit of users not changing the default username Firstly, the portion of non-malware attacks that modified and password worsens the criticality. This paves the filesystem of the attacked IoT devices was 54.3% (Type I way to the hackers to remotely get in to the network – II). In order to resist such attacks, manufacturers should for malicious activities. have a policy set to use a non-root default system user. e) Figure 8 lists the top shell commands used by Secondly, 99.6% of Type I-VII file-less attacks were using attackers and its frequencies of usage. shell commands. Such attacks were detected by auditing the shell command trail of IoT devices. Generally, IoT device uses read only filesystem like SquashFS which reduces the malware based attacks, however it eventually increases the risk of detecting the file-less attacks. But, if a hybrid filesystem is used where certain parts of the filesystem is writable like OverlayFS to enable logging, it will enable malwares to download and initiate attacks. Hence this is a tricky situation and is a challenge among the IoT device manufacturers. If the IoT device is not capable in using a Fig. 8. Shell commands used and its frequencies in unique strong password, then such device should not be used percentage connecting to the public internet. Instead VPN can be used if f) It‟s also observed that some of the shell commands users wish to use such device to connect remotely. This are obsolete in IoT device. So, the manufactures can defence strategy would be helpful to harden the security of disable them so the surface of attack can be reduced IoT devices and would assist the manufacturers and to minimum. administrators to validate g) Majority of the file-less attacks (41.2%) are collecting the effectively. system information or de-vaccination operations, (i.e

Published By: Retrieval Number: B6591129219/2019©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijitee.B6591.129219 3287 & Sciences Publication

Attack Patterns on IoT devices using HoneyNetCloud

IV. CONCLUSION 16. Mallikarjunan. E “Security Operations and Automation in IoT networks” International Cyber Security Conference Hyderabad (2019) Attacks in general has increased abnormally due to the 17. Rohin I.E Pujari Prema T “IoT Based Smart Secured Home Systems” nd many facts including the advancement of technology and the 2 International Conference on Intelligent Data Communication Technologies And Internet Of Things (ICICI 2019) increase of users and smart devices connected to the internet 18. Sundreshan Peramal, Norita Md Norwami and Valiappan Raman. globally. IoT attacks has become drastically dangerous since Internet of Things(IoT) digital forensic investigation model: Top-down the surface to attack increased. Past researches were mainly forensic approach methodology. In proceedings of International Conference on Digital Information Processing and Communications, focused on malware based attacks, however in this paper, Oct 2015 detailed attack analysis of file-less, malwares and other 19. Bogdan Copos, Karl Levitt, Matt Bishop and Jeff Rowe. Is Anybody category of attacks were studied. Malwares like Mirai can Home? Inferring Activity from Smart Home Network Traffic. In proceedings of the conference 2016 IEEE Security and Privacy quickly spread among IoT devices, however they can be Workshops (SPW) May 2016 restricted by fingerprinting. However, file-less creates a major threat in IoT networks, since they are silent intruders and is difficult in noticing them. To understand the patterns AUTHORS PROFILE of attacks, a new infrastructure environment implementation is setup named HoneyNetCloud with four hardware A.R Jayakrishnan received his masters degree MCA honeypots and hundred numbers of cloud based software from Mahatma Gandhi University in 2001, PG Diploma in Cyber Security and Forensics from IFS in 2014 and honeypots deployed in multiple public clouds. The attacks currently pursuing PhD from Bharathiar University. He were captured widely for a period of one year up to Oct 2019 started his career as a Lecturer in Computer Science with and the data collected were analysed in detail. A good range University of Calicut. He has been working in the IT of various types of attacks were able to be captured with industry since 2003 as a Technical Architect and Consultant. His research interests are Cyber security, Forensics, IoT attacks, Intrusion detection and different profiles, characteristics, behaviours and influences. prevention. He has published papers in Springer series, CSI publications and Actionable defence strategies could be derived from the other international journals. He is a life member of Computer Society of study. It is time to think out of the box from the traditional India and IEEE. attacks mainly lurking on malware based. We need to take the file-less types of attacks too in to consideration going forward and a universal defence framework for IoT attacks is Dr (Mrs) V Vasanthi pursued M.Sc (CS), M.Phil and terribly needed at this point in time. Ph.D in Computer Science from Karpagam University, Coimbatore in 2014. She is currently working as an

REFERENCES Assistant Professor in Computer Science with SKACAS, Coimbatore, India. She has published many papers in 1. Dang Fan, Zhenhua Lii,Yunhao Lui, Jingyu yang, “Understanding reputed international journals including Thomsons Rheuters (SCI & Impact File-less Attacks on Linux-based IoT Devices with HoneyCloud” 17th factor) and conferences including IEEE and Springer. Her main research International Conference MobiSys (2019) focus areas are Adhoc and Sensor Networking. 2. Zimu Zhou, ChenshuWu, Zheng Yang, and Yunhao Liu. 2015. Sensorless Sensing with WiFi. Tsinghua Science and Technology 20, 1 (Feb. 2015), 1–6. 3. New Trends in the World of IoT Threats. https://securelist.com/new-trends-in-the-world-of-iot-threats/87991/ 4. Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, et al. 2017. Understanding the Mirai Botnet. In Proceedings of USENIX Security.Vancouver, BC, Canada. 5. Ekta Gandotra, Divya Bansal, and Sanjeev Sofat. 2014. Malware Analysis and Classification: A Survey. Journal of Information Security 05 (Jan. 2014), 56–64. 6. MMD-0062-2017 - Credential Harvesting by SSH Direct TCP Forward Attack via IoT Botnet. http://blog.malwaremustdie.org/2017/02/mmd-0062-2017-ssh-direct-tc p-forward-attack.html 7. McAfee Labs: Cybercriminal Tactics Shifting From External Malware Threats to „file-less‟ Attacks. https://www.dqindia.com/mcafee-labs-cybercriminal-tacticsshifting-ext ernal-malware-threats-file-less-attacks/ 8. Now You See Me: Exposing File-less Malware – Microsoft Secure. https://cloudblogs.microsoft.com/microsoftsecure/2018/01/24/now-you see-me-exposing-file-less-malware/ 9. Tips for Guarding Against Untraceable, “File-less” Cyberattacks. http://www.govtech.com/security/Tips-for-Guarding-Against-Untracea ble-File-less-Cyberattacks.html 10. Lance Spitzner. 2003. Honeypots: Tracking Hackers. Vol. 1. Addison-Wesley Reading 11. dd-wrt support documentation https://dd-wrt.com/support/documentation/ 12. Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein,et al. 2017. Understanding the Mirai Botnet. In Proceedings of USENIX Security. Vancouver, BC, Canada. 13. Lance Spitzner. 2003. Honeypots: Tracking Hackers. Vol. 1. Addison-Wesley Reading. 14. ISO/IEC 20922:2016 Information technology – Message Queuing Telemetry Transport (MQTT) v3.1.1. http://www.iso.org 15. ISO/IEC 20922:2016 Information technology – Message Queuing Telemetry Transport (MQTT) v3.1.1. http://www.iso.org

Published By: Retrieval Number: B6591129219/2019©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijitee.B6591.129219 3288 & Sciences Publication